Back to Blog

ArcadeDB 26.7.2: Deep Engine Audit, Neo4j Bolt Certification & 5 Critical Security Fixes

ArcadeDB 26.7.2 Release

We’re pleased to announce ArcadeDB 26.7.2, a stability and correctness release that resolves over 130 issues. Where 26.7.1 focused on Raft resilience, OpenTelemetry tracing, and standards alignment, 26.7.2 turns the spotlight on the deep internals: a full engine audit across storage, WAL recovery, transactions, LSM indexes, and concurrency. On top of that it completes Neo4j Bolt driver certification, hardens High Availability further, and ships five critical security fixes.

Major Highlights

Deep Engine Audit

The heart of this release is a systematic audit of the storage and execution engine. These are the guarantees you rely on every commit, tightened across the board:

  • Storage & recovery: WAL append is now the transaction’s point of no return, with pre-write validation. Torn 64KB page writes are repaired during recovery, and the page cache prevents both lost updates and unbounded growth.
  • LSM index stability: Compaction no longer loses re-inserted keys or leaks orphaned pages, range scans are no longer truncated by tombstoned entries, and non-unique lookups no longer resurrect deleted records.
  • Transaction safety: Double-indexed updates within a single transaction no longer corrupt indexes, dead-thread cleanup rolls back abandoned transactions properly, and virtual-thread compatibility is restored.
  • Parallel query safety: A dedicated thread pool for bucket scans prevents deadlocks, each worker gets an isolated command context, and native iterators bound producer offers and close cleanly.

These are the fixes you feel under load and during the unhappy path, not in a benchmark.

Neo4j Bolt Driver Certification

ArcadeDB now achieves full compatibility certification with the Neo4j Bolt driver:

  • Native temporal PackStream structures: date, time, datetime, and localdatetime.
  • Native Path, Duration, and Point types.
  • Retryable conflict mapping so the driver’s auto-retry works out of the box.
  • HA-aware ROUTE responses and Bolt 5.x negotiation support.
  • Populated write-result counters.

Security Hardening: 5 Critical Fixes

This release patches five critical vulnerabilities. Upgrading is strongly recommended for internet-facing and multi-tenant deployments:

  • RCE via JavaScript triggers: java.lang.* classes are removed from trigger allow-lists, restricting to benign packages only.
  • Arbitrary JavaScript execution: defining js functions now requires UPDATE_SECURITY with restricted polyglot access.
  • Secret disclosure via API: server settings now redact all hidden configuration keys, including cluster tokens.
  • Cross-database IDOR: authorization checks added to 14 HTTP handlers to prevent unauthorized database access.
  • Read-only mutation of schema: missing UPDATE_SCHEMA guards added to schema and config mutators.

High Availability (Raft) Enhancements

  • Durable Raft storage now defaults to true, preventing follower divergence.
  • The leader auto-recovers wedged replication channels.
  • A new TransactionCommittedRemotelyException (HTTP 409) prevents duplicate retries.
  • Offline bootstrap leadership-transfer now commits a baseline.

Major Fixes

Query Engine: OpenCypher

  • Dynamic property mutations (SET n[key] = value) are now applied.
  • Inline relationship filters are enforced in MATCH, exists(), comprehensions, and shortest-path queries.
  • FOREACH updates are visible to subsequent RETURN clauses.
  • Pattern comprehension and correlated subquery corrections.
  • Temporal normalization is applied in index scans.

Query Engine: SQL

  • FROM is now usable as a property name in DDL and queries.
  • ORDER BY on non-indexed properties returns correct results.
  • TRAVERSE with MAXDEPTH corrected; BREADTH_FIRST now performs true breadth-first traversal.
  • Map indexing and array serialization fixes.

Additional Features

  • User-defined functions are now persisted and distributed across HA clusters.
  • Configurable vector quantization for sparse vector indexes.
  • Commutative append-merge removes retry storms on high-degree vertices.
  • Extended Cypher write-counter surfacing over HTTP and gRPC.
  • Point datatype and spatial index support.
  • Python binding performance improvements.

Dependencies

Notable upgrades include Netty 4.2.16, Jackson 2.22.1, PostgreSQL JDBC 42.7.13, GraalVM 25.1.3, and Neo4j Java driver 6.2.0, plus the usual round of updates.

Breaking Changes

Two behavioral changes to note when upgrading:

  1. Raft storage durability: arcadedb.ha.raftPersistStorage now defaults to true. Ensure the storage directory resides on durable media. Test clusters can opt out explicitly.
  2. Bolt temporal types: temporal values are now transmitted as native PackStream structures instead of ISO-8601 strings. Clients must read native types (e.g., asZonedDateTime()) rather than strings.

Getting Started with 26.7.2

Docker

docker pull arcadedata/arcadedb:26.7.2

Visit our Docker Hub repository for more information.

Maven

<dependency>
    <groupId>com.arcadedb</groupId>
    <artifactId>arcadedb-engine</artifactId>
    <version>26.7.2</version>
</dependency>

All artifacts are available on Maven Central.

Documentation

For detailed information on features and usage, refer to our comprehensive documentation.

Compatibility Note

This release maintains 100% compatibility with previous database formats, meaning no export/import is required when upgrading. As always, we recommend creating a database backup before upgrading.


Download ArcadeDB 26.7.2 now: GitHub Releases

Thanks to everyone in the community who reported issues, opened PRs, and helped shape this release.

Luca Garulli ArcadeDB Founder